I want to analyze what's going through an RJ45 cable without using any of the usual MITM techniques (ARP poisoning etc.), but while being the MITM.

Let me explain: instead of plugging computer A's eth0 into router R's eth0, I want to plug computer A's eth0 into computer B's eth0 and plug computer B's eth1 into router R's eth0.

A(eth0) <---> R(eth0)
A(eth0) <---> (eth0)B(eth1) <---> R(eth0)

Computer B should be able to log everything that passes through it.
Computer A and router R shouldn't be aware of what's happening (they should both think they are directly connected). B is a kind of spying device.

(I'm doing this in order to perform a fake firmware update on the "TV Box" that my ISP provides.)

Cool, interesting question. I'm trying to figure out your situation now. You'll need to do some port mirroring which is transparent to both sides.
– laika, Oct 23 '12 at 15:44

1

I also think it's an interesting question ;) If I manage to get a good starting point here I'll open a GitHub project.
– IggY, Oct 23 '12 at 16:05

2

If you can get an Ethernet hub, not a switch, then this is trivial to set up. Instead of inserting computer B between "A" and "R", install the hub and also connect "B" to the hub. Run Wireshark on "B" to capture the network traffic.
– sawdust, Oct 23 '12 at 19:09

1 Answer
1

Since you apparently have physical access to the network connection, insertion of an Ethernet hub is probably the simplest solution. Instead of inserting computer B between A and R, install the hub and also connect B to the hub. Run Wireshark on B to capture the network traffic.

If you do not already have an Ethernet hub, then you will have to be aware of the pitfalls of trying to acquire one. You cannot use a switch for this task, and some "hubs" are actually switches! Useful information on Ethernet hubs is here.

Computer B should be able to log everything that passes through it.

Wireshark will certainly be able to capture/log all network packets transmitted by computer A and router R. Wireshark will set the specified port to promiscuous mode so that the hardware will not filter out any received Ethernet frames.

Computer A and router R shouldn't be aware of what's happening (they should both think they are directly connected).

The only clue that there is a hub rather than a switch in the network is that the links are forced to operate at half duplex rather than full duplex. The net effect is that latency might be a little higher and throughput will be reduced. But these same conditions could also be caused by increased network traffic (or your proposed scheme of inserting Computer B), so a user would have to be astute to detect the presence of the hub (assuming it's not visible).

Any idea on the network configuration I should use?

My preference when using Wireshark is to use a secondary Ethernet port of the computer, either a second NIC or a USB-to-Ethernet adapter. This scheme allows the configuration of the "sniffing port" to be customized without disrupting the configuration of the (other) port for "normal" network activity (e.g. IP address assignment by DHCP & Internet access). Of course this "sniffing port" should be assigned a (unique) static IP address in the same subnet as computer A.

This sniffing PC would optimally be running a Linux OS. Windows machines tend to ignore non-Windows machines on the network. Linux also has the ethtool command to disable transmission for the "pause parameter" and "checksumming", but I've never used these options, and don't know if they would help make this PC less detectable.

If you do use a Windows OS on the sniffer computer, then be sure to uninstall all protocols (e.g. Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, Link-Layer Topology Discovery ...) except Internet Protocol Version 4 under Local Area Connection Properties for the sniffer's Ethernet device.

Some switches also have port mirroring features if he can't get hold of a suitable hub, e.g. one of the MikroTik switches I have can do this.
– Matt H, Oct 26 '12 at 2:03

Thank you for this answer! The only problem that remains is that I want to be able to edit the packets (the end objective is to make a fake firmware update) and I don't see how to do it with a hub :s However, thank you again for this clear answer on each point!
– IggY, Oct 26 '12 at 8:40
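The question's own layout, A(eth0) <---> (eth0)B(eth1) <---> R(eth0), can be built on Linux without a hub: bridge the two ports of B with no IP address on either of them, so B forwards every frame like a piece of wire and the capture runs on the bridge. The script below is an added example, not code from the question or the answer. It assumes the tap ports are eth0 (towards A) and eth1 (towards R), the bridge is named br0, iproute2, ethtool and tcpdump are installed, and it is run as root; every one of those names can be overridden through the environment variables at the top. It applies the silencing measures the answer mentions (no IP, promiscuous mode, no pause frames, no checksum/segmentation offload) plus two the answer does not: IPv6 is disabled so B sends no router solicitations or neighbour discovery, and spanning tree is off so the bridge emits no BPDUs. With DRY_RUN=1 it only prints the commands it would run, which is also how the test below checks the plan.

```shell
#!/bin/sh
# Added example (not from the answer): turn computer B into a transparent inline tap.
# Assumptions: ports eth0/eth1, bridge br0, capture file /tmp/tap.pcap (all overridable),
# iproute2 + ethtool + tcpdump present, root privileges. DRY_RUN=1 prints the plan only.

TAP_IN="${TAP_IN:-eth0}"        # port facing computer A
TAP_OUT="${TAP_OUT:-eth1}"      # port facing router R
BRIDGE="${BRIDGE:-br0}"
PCAP="${PCAP:-/tmp/tap.pcap}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it unchanged when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# quiet_port: make one tap port passive. No address means no ARP/DHCP from this side,
# no IPv6 means no ND/RS, promisc so the NIC keeps every frame, no pause frames and
# no checksum/segmentation offload so the capture matches what is on the wire.
quiet_port() {
  run ip addr flush dev "$1"
  run sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1"
  run ethtool -A "$1" autoneg off rx off tx off
  run ethtool -K "$1" rx off tx off gro off gso off tso off lro off
  run ip link set "$1" promisc on
  run ip link set "$1" up
}

# tap_up: build A <-> (eth0)B(eth1) <-> R. STP off so B never sends BPDUs,
# forward_delay 0 so ports forward immediately. The bridge device itself is put
# in promiscuous mode so the kernel hands every forwarded frame to the capture.
tap_up() {
  quiet_port "$TAP_IN"
  quiet_port "$TAP_OUT"
  run ip link add name "$BRIDGE" type bridge stp_state 0 forward_delay 0
  run sysctl -q -w "net.ipv6.conf.$BRIDGE.disable_ipv6=1"
  run ip link set "$TAP_IN" master "$BRIDGE"
  run ip link set "$TAP_OUT" master "$BRIDGE"
  run ip link set "$BRIDGE" promisc on
  run ip link set "$BRIDGE" up
}

# tap_capture: record everything crossing the bridge (Wireshark on br0 sees the same).
tap_capture() {
  run tcpdump -i "$BRIDGE" -nn -s 0 -w "$PCAP"
}

# tap_down: remove the bridge; the ports keep their quiet settings until reboot.
tap_down() {
  run ip link set "$BRIDGE" down
  run ip link del "$BRIDGE"
}

case "${1:-}" in
  up)      tap_up ;;
  capture) tap_capture ;;
  down)    tap_down ;;
  *)       printf 'usage: %s up|capture|down   (DRY_RUN=1 prints the plan)\n' "$0" >&2 ;;
esac
```

Run `DRY_RUN=1 sh tap.sh up` first and check that the printed plan contains no `ip addr add`, then `sh tap.sh up` followed by `sh tap.sh capture`. Two caveats: both links go down and come back up when the cables are moved, so A and R see one link flap at insertion (a hub causes the same); and unlike a hub, B is now actually forwarding the frames, which is exactly the position the asker needs for the packet editing mentioned in the last comment, since anything that should be changed or redirected has to be done on B before the frame leaves the bridge.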